Multifactor Authentication: Past, Present, and Future

This document is confidential and is intended solely for use by its original recipient for informational purposes. Neither the document nor any of the information contained in this document may be reproduced or disclosed to other persons without the prior written approval of Scio Security, Inc.

Multifactor AuthenticationPast, Present, and Future

Jon Oberheide

CTO, Scio Security

Slide # 2Jon Oberheide - Multifactor Authentication - Merit Member Conference 2010

Audience Survey

1. How many currently deploy multifactor authentication (MFA) in some form?

2. How many have MFA on their roadmap for the next year?

3. How many would like to deploy MFA if they had unlimited time and resources?


Agenda

• A Brief Intro to Multifactor Auth

• The DOs and DON'Ts of MFA

• Application to Real-World Incidents

• Wrap-up


Credential Theft

1. We suck at naming!

2. Attackers have discovered that stealing user credentials is the path of least resistance into an organization.

Bots, RAT, APT, SAG, phishing, vishing, smishing, pharming, whaling, ...


The Evolution of Threats

The integrity of your organization's credentials hinges on the ability for an attacker to make a 3-line modification to his configuration file.

Sophisticated credential stealing attack tools are now a commodity and are publicly available:

Snippet from the configuration file of a “Silent Banker” malware sample:


Multifactor Authentication

• Multiple factors → increased security

• Factor classifications– “What you know”– “What you are”– “What you have”


“What you know”

• Knowledge-based– “what you know”

• Common examples– Passwords

– Security questions

• Pros:– No special equipment

• Cons:– Easily phishable

– User memory burden


Sarah Palin's Email


Password Reset Nightmare


“What you are”

• Biometrics– “what you are”

• Common examples– Fingerprint

– Voice recognition– Retina scan

• Pros:– No memory burden

• Cons:– Expensive equipment

– Often fails when subjectedto scrutiny (eg. Thinkpads)


“What you have”

• Knowledge-based: too weak• Biometric: too expensive / unavailable

• What about a physical item you possess?• Example: ATM access

– Card (what you have) + PIN (what you know)

– Used to be an effective combination


“What you have”

• Common examples– Digital certs– Smart cards

– USB tokens

– OTP generators

– ...

• Pros:– Should be resistant to

phishing, credential theft

• Cons:– Hardware can be costly

– You can lose the “what you have”

– Limited capabilitiesagainst advanced threats


Enter Mobile Devices

• Why not use a mobile phone instead for MFA?– Adoption is soaring

(4.6 billion subscribers)

• No hardware costs– $50/user hardware token

vs. free software token

• Wide range of capabilities– OTP generator via mobile apps

– Out of band voice / SMS

– Persistent data connection → security, usability, TIV


Agenda




• Wrap-up


Properties of Good MFA

• Secure Against what threats?

Passive Phishing / Keyloggers

Soft / HardOTP Tokens

Active Phishing /Remote Access Trojans

Out of BandVoice / SMS

Threat MFA Defense

Man-in-the-Browser (MITB) Attacks

OOB w/Transaction Verification


Raising the Security Bar

• Based on real threat models, not obfuscation

• Beware of security theater– Inconvenience != security

DO: Raise the bar for attackers

DON'T: Raise it an inch



Good example:

• Mobile Auth Agent– Secure, real-time channel:

Desktop ↔ Mobile device

• Attacker must now– Compromise your desktop– Compromise your phone– Collude between the two devices



Bad example: the bouncing keyboard



• Secure

• Usable

Users are great at bypassing annoying security mechanisms.


Make It Usable

• Give users flexibility– Based on preference,

environment, etc

DO: Make it usable by mere mortals

DON'T: Deploy MFA users can't understand

DumbDevice

SmartDevice

Offline

Online

Mobile Auth Agent

Hard Tokens

Soft Tokens

Voice/SMS


Make It Usable

Good example: a choice of factors


Make It Usable

Bad example: what is this I don't even...



• Secure

• Usable

• Low supportburden and cost

Hopefully not the size of your help desk call center


Easy on Admins

• Provisioning users with new/replacement tokens can be a costly pain

• On-premise equipment can be expensive, inflexible

DO: Reduce TCO with a low-touch service

DON'T: Swamp your help desk / support line


Easy on Admins

VS.

Bad example:Good example:


Agenda




• Wrap-up


Case Studies

• Spear phishing for remote access

• Internal IT access control

• Protecting sensitive transactions


Spear Phishing


Spear Phishing

Legitimate site or phishing site?


Interesting Observations

• Email characteristics– umich.edu from address

– Legitimate looking weblogin/webmail URL

– UofM block-M logo

• Phishing site characteristics– Matches style of legitimate weblogin site

– Redirect to real weblogin after successful phish

• Customized, but widespread targets


Attackers Getting Clever...

1. Attackers phish user credentials

2. Attackers use credentials to access off-campus VPN remote access services.

3. Attackers send spam via authenticated SMTP and internal UofM IPs

What's more interesting comes AFTER the phishing attack has succeeded.

These attackers have gained knowledge of specific University IT infrastructure.


VPN Remote Access

• Traditional perimeter model– Physical boundary to internal network

• VPN perimeter model– VPN gateway acts as the new boundary– Inside perimeter tends to be more soft and

gooey...as much as we don't like to admit it

• Securing VPN remote access is key


Multifactor Options?

• SSL VPNs are a great MFA integration point– Exposes a web interface to user– Allows for interaction, selection of factors

DEMO!


Case Studies





Internal IT Intrusions

“We are suffering the mother of all security incidents here...to the extent that when I came in this morning, I unplugged the fiber from our machine room. We had to destroy X in order to save it.”

- IT Administrator


Post-Intrusion Forensics

• Entry point– ssh brute-force attempts– Weak user password

• Salt in the wound– Privilege escalation

– Trojaned ssh client and server


Backdoored SSH

Backdoored ssh client and sshd server dumping user credentials to disk and sending to a remote address.



• How to protect internal servers?– PAM is a good integration point!

DEMO!


Case Studies





Sensitive Transactions

• Assume entry point is completely bypassed– eg. Cosign Weblogin vuln

• RO vs. RW mode– Allow common case of RO

– Challenge only upon sensitive RW operations

MFA doesn't have to be applied exclusively at a “login” stage.

Protection can instead be applied to individual sensitive transactions within an application.


Direct Deposit Verification



• Confirmation email?– No, attacker can delete it

• Require a hard/soft token?– Depends on frequency of transaction

• Voice callback is a good fit here• Similar use cases:

– Password reset, account activation, etc


Agenda




• Wrap-up


Take-Aways

• Attackers focusing on users as the weakest link instead of exploiting apps/OS

• Knowledge-based authentication aloneis insufficient for protecting access

• Secure, usable, affordable MFA is possible– But beware the crazies!


Thank you

Jon Oberheide

@jonoberheide

[email protected]

http://sciosecurity.com

QUESTIONS?

http://twitter.com/jonoberheide

mailto:[email protected]

http://sciosecurity.com/

Multifactor Authentication: Past, Present, and Future

Documents

Transcript of Multifactor Authentication: Past, Present, and Future